Azure Sentinel News
What’s New: Multiple playbooks to one analytic rule

by Azure Sentinel News Editor
November 12, 2020
in Security Orchestration & Automated Response, SOC

The ability to select multiple playbooks to be triggered for each Analytics Rule will change the way you use playbooks in Azure Sentinel. It will save you time, add stability, reduce risks, and increase the automation scenarios you can put in place for each security alert.

Azure Sentinel playbooks help the SOC automate tasks, improve investigations, and respond quickly to threats. An Azure Sentinel workspace is meant to be continuously fine-tuned to be used effectively: each analytics rule is created to generate alerts on a single, specific security risk, and each playbook to handle one specific automation purpose. But many automation purposes apply to any analytics rule. Now this can be done effectively, because the new feature lets you select up to 10 playbooks to run when a new alert is created.

Why should I connect multiple playbooks to one analytics rule?

Move to “one goal” playbooks: Simple to develop, easy to maintain

Multiple playbooks can influence the way you plan and develop playbooks. Before this feature, if a SOC wanted to automate many scenarios to the same analytics rule, it had to create nested playbooks, or a single large playbook with complex logic blocks. Or it might create similar versions of the same playbook to be applied to different analytics rules, reusing the same functionalities.

Now, you can create as many single-process playbooks as needed. They include fewer steps and require less advanced manipulations and conditions. Debugging and testing are easier as there are fewer scenarios to test. If an update is necessary, it can be done in just the one relevant playbook. Rather than repeating the same content in different playbooks, you can create focused ones and call as many as required.

One analytics rule, multiple automation scenarios

For example, an analytics rule that indicates high-risk users signing in from suspicious IPs might trigger:

  • An enrichment playbook that queries VirusTotal about the IP entities and adds the information as a comment on the incident.
  • A response playbook that consults Azure AD Identity Protection and confirms the risky users (received as Account entities) as compromised.
  • An orchestration playbook that sends an email to the SOC to report that a new alert was generated, together with its details.
  • A sync playbook that creates a new ticket in Jira for the newly created incident.

Increase your capabilities and flexibility as an MSSP

Multiple playbooks allow Managed Security Service Providers (MSSP) to add their provided playbooks to analytics rules that already have playbooks assigned, whether their own rules or their customers’. Similarly, customers of MSSPs can “mix and match,” adding both MSSP-provided playbooks and their own playbooks, to either their own rules or to MSSP-provided rules.

Get started

  1. Navigate to Azure Sentinel -> Analytics.
  2. Create a new scheduled query rule, or edit an existing one.
  3. Go to the Automated response tab.
  4. Select the playbooks you would like to trigger.

It’s as simple as that!

At this point, the selected playbooks will run in no particular order. We are working on a new automation experience which will also allow defining the order of execution – stay tuned.
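To show what the "Get started" steps actually create, and how the four single-purpose playbooks from the example above end up attached to one rule, here is an added example; it is not code from the post or from Microsoft. It models each binding as a `Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}` sub-resource carrying `logicAppResourceId` and `triggerUri`, the shape of the Security Insights REST API; the API version, subscription, workspace, rule id, Logic App names and trigger URLs are assumptions and constructed placeholders. It only builds the PUT requests and enforces the 10-playbook limit; nothing is sent.

```python
"""Plan the REST calls that bind several playbooks to one Azure Sentinel
analytics rule.

Each playbook becomes its own `actions` sub-resource under the rule, which
is why the limit is "up to 10 playbooks" and why the playbooks run with no
guaranteed order: nothing in the binding relates one action to another.
The planner enforces the limit, rejects a playbook bound twice, and derives
a stable action id so re-applying the plan updates in place.

Added example; not code from the post or from Microsoft.  Resource names,
ids and trigger URLs below are constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass

MAX_PLAYBOOKS_PER_RULE = 10   # limit stated in the post
API_VERSION = "2020-01-01"    # assumed Security Insights API version for alertRules/actions
ARM = "https://management.azure.com"


@dataclass(frozen=True)
class Playbook:
    purpose: str        # enrichment, response, orchestration or sync (documentation only)
    logic_app_id: str   # full ARM resource id of the Logic App
    trigger_uri: str    # callback URL of the playbook's Azure Sentinel alert trigger


def action_id(rule_id: str, playbook: Playbook) -> str:
    """Deterministic GUID-shaped id: the same rule+playbook pair always maps to
    the same action resource, so a rerun is a PUT over the existing action."""
    h = hashlib.sha256(f"{rule_id}|{playbook.logic_app_id.lower()}".encode()).hexdigest()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:32]}"


def plan_bindings(subscription: str, resource_group: str, workspace: str,
                  rule_id: str, playbooks: list) -> list:
    """Return one (method, url, body) tuple per playbook without sending anything.

    Raises ValueError if more than MAX_PLAYBOOKS_PER_RULE playbooks are given
    or the same Logic App appears twice (ids compared case-insensitively).
    """
    if len(playbooks) > MAX_PLAYBOOKS_PER_RULE:
        raise ValueError(f"{len(playbooks)} playbooks exceeds the limit of "
                         f"{MAX_PLAYBOOKS_PER_RULE} per rule")
    rule_path = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
                 f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
                 f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}")
    seen, calls = set(), []
    for pb in playbooks:
        key = pb.logic_app_id.lower()
        if key in seen:
            raise ValueError(f"playbook bound twice to rule {rule_id}: {pb.logic_app_id}")
        seen.add(key)
        url = f"{rule_path}/actions/{action_id(rule_id, pb)}?api-version={API_VERSION}"
        body = {"properties": {"logicAppResourceId": pb.logic_app_id,
                               "triggerUri": pb.trigger_uri}}
        calls.append(("PUT", url, body))
    return calls


# Constructed sample: the four single-purpose playbooks from the post, bound
# to one "risky user from suspicious IP" scheduled rule.  All ids are placeholders.
SUB, RG, WS = "00000000-0000-0000-0000-000000000000", "sentinel-rg", "sentinel-ws"
RULE_ID = "risky-user-suspicious-ip"   # placeholder rule id


def playbook(purpose: str, name: str) -> Playbook:
    """Build a Playbook for a Logic App named `name` in the sample resource group."""
    logic_app = (f"/subscriptions/{SUB}/resourceGroups/{RG}"
                 f"/providers/Microsoft.Logic/workflows/{name}")
    trigger = (f"https://prod-00.westeurope.logic.azure.com/workflows/{name}"
               "/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
               "/paths/invoke?sig=PLACEHOLDER")
    return Playbook(purpose, logic_app, trigger)


SAMPLE_PLAYBOOKS = [
    playbook("enrichment", "Enrich-VirusTotal-IP"),
    playbook("response", "Confirm-RiskyUser-AADIP"),
    playbook("orchestration", "Notify-SOC-Email"),
    playbook("sync", "Create-Jira-Ticket"),
]


if __name__ == "__main__":
    for method, url, body in plan_bindings(SUB, RG, WS, RULE_ID, SAMPLE_PLAYBOOKS):
        print(method, url)
        print(json.dumps(body, indent=2))
```

Each PUT would be issued with an ARM bearer token by whatever deployment tooling you use. Because the four actions are independent resources, there is no field in which to express an order, which matches the post's note that the playbooks run in no particular order: design each single-purpose playbook so it does not depend on another one having finished first (the Jira sync should not assume the VirusTotal comment is already on the incident).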

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-multiple-playbooks-to-one-analytic-rule/ba-p/1805846

Copyright © 2020 - Azure Sentinel News